[VoiceOps] Web Attacker Blacklist

Oren Yehezkely orenyny at gmail.com
Wed Oct 23 08:37:36 EDT 2013


J,

Did you intend to provide the script for others to use and add data, or
just the data you collected so far?

Regards,

Oren


On Wed, Oct 23, 2013 at 8:04 AM, J. Oquendo <sil at infiltrated.net> wrote:

> On Tue, 22 Oct 2013, Jay Hennigan wrote:
>
> > On 10/22/13 6:57 AM, J. Oquendo wrote:
> > >
> > > Going to cross post this to the list (I know some of us
> > > criss-cross lists). Reasoning, a lot of IP PBXs have
> > > web based interfaces, and some need to be on the public
> > > Internet.
> > >
> > > Cobbled together a script to scrape my logs, parse out web
> > > based attackers (SQLi, XSS, CSRF, etc) and compile said list
> > > for blacklisting. Script is pulling from 6 different web
> > > servers for now. I may add more later depending on whether
> > > or not I see a lot of usage.
> > >
> > > http://www.infiltrated.net/webattackers.txt
> >
> > Thanks.  I personally would like to see it as solely raw IP addresses
> > rather than a mix of IPs and PTRs.  The PTRs may not match forward DNS,
> > particularly if a bad guy has control of rDNS.
> >
>
> I changed it up, but will leave existing domains on there.
> I thought about this (domains vs. IPs) in the sense that,
> filtering (WAF) often tends to rely on domains. Then I
> thought about matching domains to IPs on that instance but
> it wouldn't have been cumbersome considering anyone can
> edit /etc/hosts or c:\windows\system32\etc\drivers\hosts
> so I left it alone. As of about 20 minutes of the original
> post, I re-configured Apache to stop hostname lookups.
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
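Added example, not part of the thread and not J. Oquendo's script: one way a consumer of a mixed list could keep only literal IP addresses, and a list producer could check logged PTR names against forward DNS, which is the concern raised about rDNS above. The sample list, the FORWARD table, the HITS records and all function names are constructed for illustration; in real use FORWARD would be live DNS lookups.

```python
import ipaddress

# Constructed sample of a published list mixing raw IPs and PTR names.
SAMPLE_LIST = """\
203.0.113.7
scanner.example.net
198.51.100.23   # trailing comment
www.partner.example
203.0.113.7
2001:db8::bad
"""

# Constructed stand-in for forward DNS (name -> addresses). Hypothetical data.
FORWARD = {"scanner.example.net": {"192.0.2.50"},
           "www.partner.example": {"198.51.100.200"}}

# Constructed log hits: (peer address seen on the socket, PTR name it returned).
# The second peer controls its reverse zone and claims someone else's name.
HITS = [("192.0.2.50", "scanner.example.net"),
        ("192.0.2.66", "www.partner.example")]


def split_entries(text):
    """Return (unique literal IPs in first-seen order, hostname entries)."""
    ips, names = {}, []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            # Normalizes the address text and rejects anything that is not an IP.
            ips[str(ipaddress.ip_address(entry))] = None
        except ValueError:
            names.append(entry)  # set aside, never blocked by name
    return list(ips), names


def unconfirmed_ptrs(hits, forward=FORWARD):
    """Return hits whose PTR name does not resolve forward to the peer."""
    return [(ip, name) for ip, name in hits
            if ip not in forward.get(name, set())]


def blocklist(text, hits, forward=FORWARD):
    """Literal IPs from the list plus peer IPs from the logs, never names."""
    ips, _ = split_entries(text)
    return list(dict.fromkeys(ips + [ip for ip, _ in hits]))
```

Resolving www.partner.example forward would have produced 198.51.100.200, an address that never appeared as a peer in the constructed logs; building the list from peer addresses avoids blocking it.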